
Yeah, I'm going to ask other members to look at the Farbar and ESET logs.

I know nothing here about these things, so I will listen to any comments and/or advice from those more knowledgeable.

Quote:

Under "Bamital & volsnap Check "

Where are you seeing this??

Quote:

C:\Windows\system32\rpcss.dll

[2009-10-31 07:46] - [2009-04-11 01:28] - 0550912 ____A (Microsoft Corporation) 150DB93F1299491B4AF6025650035AFD
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.

I googled the MD5 and it is unique - no matches found.

I don't understand. What are you looking at? What are you looking at that shows that "attention" remark??

That RPCSS.DLL is no longer in C:\Windows\System32, having been deleted by HitmanPro.

Quote:

In the Farbar Additional file, there are a number of recent (today) events in the event logs.
Look at the tail end of the file or use event viewer on the system.

What "recent events" are you referring to?

Quote:

I'd feel more comfortable if a member on the security team took a look. Jacee has already stopped in and is a bit familiar with thread.

It was suggested that I invite Noeldp to look at this thread, and I've PM'd him.

Well, not surprisingly, it's unhappy with the state of RPCSS.DLL... and if I read the details correctly also says it cannot do the repair because the backup is also damaged.

I've edited the SFCDETAILS.TXT file to contain only the relevant "problematic" sections, eliminating the insignificant lines.

You know... maybe the version that is over on the D Recovery Partition is a GOOD ONE, not a copy of the bad one! The date on the D-version is from 1/19/2008 2:36:17AM 547,328 bytes, whereas the problem one found by HitmanPro was dated 2009 and is 3,000 bytes larger.

So even though the repair of C's RPCSS.DLL cannot be done because the C-backup is also corrupt, it seems possible to recover it from the D-version if we believe it to be a valid one.

Do I need to run SFC /SCANNOW three times in a row, to eventually find the correct original 2008 backup?

If you look at my earlier screenshot where I was looking for RPCSS.DLL with Everything, you see that it occurs in MULTIPLE folders in C:\Winsxs. And there is one from 1/20/2008 which is the correct 535KB (which is the correct size, if we go by what is shown in the screenshot living on the D Recovery partition), whereas the later backups starting in 2009 are 538KB (which is the problematic size).

I've never used SFC /SCANNOW, but I do know that sometimes you need to run three "repairs" in order to finally get things fixed. I guess each subsequent repair uses a successively older backup??

Note from the following screenshot that it looks like the SFC repair I just did has restored a version of RPCSS.DLL into C:\Windows\System32... and it's the defective one.

I'm going to run the repair three more times, and see if I can recover that 2008 version which should be the right one.

Well, I guess my guess was wrong. Doesn't pick up successively older backups with each running of SFC /SCANNOW. It just leaves the 550,912 byte version.

Obviously the 547,328 byte version from 2008 is now clearly recognized as the right original Windows version to shoot for (which matches the untouched version on the D Recovery partition).

Re-running HitmanPro again deletes that version (although it's been rendered "harmless" by the previous cleansing of the Registry of the crucial related entries, so that it will no longer start at boot time even if present). It also deletes the backup version. See attached log file.

Interestingly, there is a "$$DELETEME..." version of the corrupt RPCSS.DLL that I don't know exactly where it came from... either the SFC repair, or the rerun of HitmanPro (which seems unlikely)?? It won't go away, but it is the bad object.

I give up for now. I need further advice on how to manually recover the 547,328 version from 2008... either from the C:\Windows\Winsxs backup where it lives, or from the D Recovery partition.

Sorry dsperber, I shoveled a lot of snow yesterday and fell asleep early.

Let me catch up answering your posts.

Post 47 -> D:\Recovery.
The rpcss.dll in D:\Recovery is the base install for a Dell Vista - or should be. A scan didn't pick it up so it's probably NOT infected. If the MD5 is unique then you'll have to dig a little deeper, but methinks it's ok.

I would make the OEM Recovery discs before nuking D:

Post 48 -> ESET
C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988_rpcss.dll_fd3e269b
>> Win32/Patched.IB trojan error while cleaning
This is in the backup folder for Winsxs - ESET failed to clean it, perhaps because it's in winsxs.
I'm not sure what to do with it.

The rpcss.dll in D:\Recovery is probably good, but getting it might be difficult. On my HP, the partition is hidden and has a desktop.ini that puts up an HTML screen when you view the partition. Getting around that is the easy part.

The base Windows files needed to begin a Recovery are or should be visible, but everything else is packed away in the install wim files.

Gregrocker is a whiz at this stuff.

Just make sure every one knows this is VISTA, Noel particularly. He might offer you replacement file(s) from Win7 if that is left unclear.

I'll go back through the thread and collect your logs. I like to make it easier for people coming in cold to a thread. I'll match the log files to the malware guide, and try to make chronological order out of it.

The System Update Readiness Tool (SURT) might help, I'm not sure.
SURT used to carry a few cabs when it was used to prepare Vista for an upgrade to Win7.
Lately though, SURT on Win7 is related to Windows Update issues only.
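The posts above compare copies of rpcss.dll by size and date across C:\Windows\System32, the many WinSxS folders and the D:\Recovery partition, and try to judge the MD5 by how many Google hits it gets. The following PowerShell script is an added example, not code posted by anyone in this thread: it inventories every copy of the DLL under those roots, hashes each one, reads its Authenticode status, and reports which copies match a copy you have decided to trust. The defaults (rpcss.dll, D:\Recovery) come from the thread; the exact path of the known-good file on the recovery partition is an assumption you must adjust. It needs PowerShell 4 or later for Get-FileHash, so it is meant to be run from a current machine against the affected disk, or from the affected machine after updating PowerShell.

```powershell
<#
 Added example (not from the thread): inventory every copy of a DLL across the live
 System32, the WinSxS component store and the OEM recovery partition, hash each copy,
 and flag the ones that differ from a copy you trust. The reference path below is an
 assumption; change it to wherever the known-good file actually lives.
#>
param(
    [string]   $Name          = 'rpcss.dll',
    [string[]] $Roots         = @("$env:SystemRoot\System32", "$env:SystemRoot\WinSxS", 'D:\Recovery'),
    [string]   $ReferencePath = 'D:\Recovery\rpcss.dll'   # assumption: location of the known-good copy
)

function Get-DllCopies {
    param([string]$Name, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system items: recovery partitions hide their contents behind a
        # desktop.ini. -ErrorAction skips WinSxS subfolders whose ACLs refuse the listing.
        Get-ChildItem -LiteralPath $root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path        = $_.FullName
                    Size        = $_.Length
                    FileVersion = $_.VersionInfo.FileVersion
                    LastWrite   = $_.LastWriteTime
                    MD5         = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # OS binaries are catalog-signed: PowerShell 5.1+ reports Valid with SignatureType
                    # 'Catalog'; older PowerShell reports NotSigned for them. Treat NotSigned as
                    # "unknown", not as proof of tampering; HashMismatch is the value that matters.
                    SigStatus   = $sig.Status
                    SigType     = $sig.SignatureType
                }
            }
    }
}

function Compare-DllCopies {
    param([object[]]$Copies, [string]$ReferencePath)
    $ref = $Copies | Where-Object { $_.Path -ieq $ReferencePath } | Select-Object -First 1
    if (-not $ref) {
        # Deliberately no "majority wins" fallback: in this thread the patched file is the
        # most common copy (System32 plus every 2009 WinSxS backup), so majority would be wrong.
        throw "Reference copy $ReferencePath not found; refusing to guess which copy is good."
    }
    foreach ($c in $Copies) {
        $verdict = if ($c.SHA256 -eq $ref.SHA256)         { 'MATCHES reference' }
                   elseif ($c.SigStatus -eq 'HashMismatch') { 'DIFFERS, signature broken' }
                   else                                      { 'DIFFERS' }
        $c | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

$copies = @(Get-DllCopies -Name $Name -Roots $Roots)
if ($copies.Count -eq 0) { Write-Error "No copies of $Name found under $($Roots -join ', ')"; return }

Compare-DllCopies -Copies $copies -ReferencePath $ReferencePath |
    Sort-Object Verdict, Path |
    Format-Table Verdict, Size, FileVersion, LastWrite, MD5, SigStatus, SigType, Path -AutoSize
```

Run it from an elevated prompt so the WinSxS folders can be read. Two caveats a practitioner would add to the thread's approach: a search engine returning no hits for an MD5 only tells you the hash is uncommon, so comparing against a copy the malware could not have reached (the recovery partition, or the install media) is the real check; and `sfc /VERIFYFILE=C:\Windows\System32\rpcss.dll` reports whether the live file matches the component store without attempting a repair, but since the store's own backup copy is flagged as patched above, SFC's verdict is only as trustworthy as the store it consults. On a Vista machine without a newer PowerShell, `certutil -hashfile <path> MD5` produces the same hash for manual comparison.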
